[RESOLVED] Free Zonalarm missing and will not reload

[Clive Wraight]

I originally posted this on the spyware forum
I have recently noticed that my "free Zonealarm" has gone missing from my pc. I don't know how it was deleted but anyway I am now having trouble reloading it. It gets so far then says I don't have access to make system configuration modifications and should rerun from an administrators account. I am the administrator. I have rebooted etc but still it will not load.
Windows XP service pack3. HP pentium 4. 2.8Ghz.
Old I know but it used to work fine.
I have followed instructions in the reply as follows:-
(These scans took many hours to complete hence the delay replying).
The online virus checkers given to use would not work but all else is as instructed.
Here are the requested logs :-

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/16/2009 at 11:49 PM

Application Version : 4.27.1002

Core Rules Database Version : 4275
Trace Rules Database Version: 2154

Scan type : Complete Scan
Total Scan Time : 06:33:36

Memory items scanned : 226
Memory threats detected : 0
Registry items scanned : 7023
Registry threats detected : 0
File items scanned : 130693
File threats detected : 13

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
C:\Documents and Settings\Owner\Cookies\owner@dealtime[1].txt
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt


=============================================================



Malwarebytes' Anti-Malware 1.41
Database version: 3188
Windows 5.1.2600 Service Pack 3

17/11/2009 18:15:14
mbam-log-2009-11-17 (18-15-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 246964
Time elapsed: 1 hour(s), 8 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.




GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-17 22:40:29
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxldqpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF13C7930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF13D2A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF13C7F20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF13D36E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF13D3440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF13D38B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF13C7D70]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xF13D4250]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF13D3CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF13D4080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF13C8120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF13D3140]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F13DD330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F13C85C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F13C8770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F13C82D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F13C8670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\USB_RNDIS \Device\{2947BD30-B983-4109-9421-450C118C0EEC} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



Hijack log to follow as this post got this message

The text that you have entered is too long (20310 characters). Please shorten it to 20000 characters long.

[Clive Wraight]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:11, on 18/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Belkin Mouse 1.0\mouse32a.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: FreecycleMemberBHO - {C3E5E149-27B7-49D1-8420-B02AC52AF663} - C:\Program Files\Freecycle\FreecycleMember.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\YTSingleInstance.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [FLMBELKINMOUSE] C:\Program Files\Belkin Mouse 1.0\mouse32a.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://homebase.2020.net/Core/Player...erAX_Win32.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160671715750
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbde...ivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11482 bytes

[Broni]

There are definitely some instances of ZA running.
Try ZA uninstaller: http://download.zonealarm.com/bin/fr...cpes_clean.exe
See, if you can reinstall ZA afterwards.

[Clive Wraight]

Thanks for your reply.

When I try to run zonealarm remover this happens.
First I get "This application has failed to start because vsutil.dll was not found. Re-installing this application may fix this problem. Click OK

and then I get Check Point Endpoint security removal - A Re-start is required to complete the removal of Endpoint Security. Click OK to Re-start now.

I am forced to click OK and then it starts all over again.

I assume the logs don't show anything wrong?

[Broni]

Logs show only minor issues (so far).

Before we go to more security scans, try Revo Uninstaller: http://www.revouninstaller.com/

[Clive Wraight]

Broni, thanks. I tried to use Revo but it couldn't find anything for Zonealarms. I also tried Hunter and Junk files cleaner within Revo but nothing came up.

[Broni]

We can try to remove it manually.

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\system32\eventlog.dll
%systemroot%\system32\scecli.dll
%systemroot%\netlogon.dll
%systemroot%\system32\cngaudit.dll
%systemroot%\system32\sceclt.dll
%systemroot%\ntelogon.dll
%systemroot%\system32\logevent.dll

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  Since those are pretty big files, you can attach them, if you wish.

[Clive Wraight]

Thanks again Broni. I was warned by Windows that OTL was unsafe but went ahead anyway.
Yesterday I did restore Zone Labs Security folder from the recycle bin (deleted previously because it did nothing) to point Revo at it so it now appears in these logs.

[Broni]

Before we go with OTL, can you check, if Revo will take care of it now (after folder restoration)?

[Clive Wraight]

I already tried it. That is why I restored the folder. I just get popup saying No installation package found. Then it says to uninstall manually.

[Broni]

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Code:

  :OTL
  PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
  O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
  O4 - HKLM..\Run: [KernelFaultCheck]  File not found
  O18 - Protocol\Handler\ipp - No CLSID value found
  [2009/11/20 18:50:46 | 00,000,000 | ---D | C] -- C:\Program Files\Zone Labs
  [2009/11/19 18:23:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ZA_PreservedFiles
  [2007/01/20 17:30:51 | 00,796,584 | ---- | C] () -- C:\WINDOWS\System32\libeay32_0.9.6l.dll
  [2004/10/14 17:38:26 | 00,000,024 | ---- | C] () -- C:\WINDOWS\qfnonl.ini
  [2004/10/14 17:37:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QFN.ini
  [2004/10/14 17:37:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\QDQICK.ini
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[Clive Wraight]

OK here is the new OTL log

[Broni]

Try to reinstall ZA now.

[Clive Wraight]

Still get the same message that I need to be an administrator. Also I notice I now have 18Gb free space on C drive where I used to only have 9Gb.

[Broni]

Can you post fresh HJT log?